Ubiquiti Edgerouter X VPN Setup
-
@scottalanmiller However people in the same coffee shop can't access it.
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@DustinB3403 said:
@scottalanmiller said:
@Dashrender said:
How do you keep them from seeing each other?
THey are supposed to see each other, that's what a VPN is for.
I think he meant the public and private networks.
No - what I was talking about... Let's say the OP has 10 clients and they all want to use the OP's ERX as their VPN to the internet. in a normal situation, all those logged into the VPN would traditionally be able to see each other, and interact - I would assume that the OP would not want this...
But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.
Why would someone want to use a VPN to the Internet? Do you mean to do a proxy so that they appear geolocated with him?
Well, not for that reason, but yes so that all traffic is securely leaving where ever he happens to be and entering the internet from a known trusted point.
Hmmmm... odd. What's the value in that? Once it is on the Internet it's at the same level of risk. If it isn't safe from the unknown point, it isn't safe this way.
See the other discussion on the dangers of the illusion of security
Well that's not entirely true.
For example, this story from last year https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.dvxkeipfn
This is an example of a hacker joining a local coffee shop network, then creating a MitM attach and then watching all of the non encrypted data flow through.
If the OP uses a VPN to leave the coffee shop before getting on the internet, he doesn't have to worry about the local coffee shop hacker. Just the rest of the hackers who don't have local network level access.
-
@anonymous said:
@scottalanmiller However people in the same coffee shop can't access it.
Is that a concern? I've never understood that one. People in the same coffee shop you protect against but not people elsewhere? What's the specific threat in the coffee shop versus the threat from everywhere else?
-
@Dashrender said:
If the OP uses a VPN to leave the coffee shop before getting on the internet, he doesn't have to worry about the local coffee shop hacker. Just the rest of the hackers who don't have local network level access.
You've just made my point brilliantly. He still has to worry about the same attacks, just not from the coffee drinker that he can see. So the illusion has caused him to not to end to end security because he felt "safe enough" from the illusion and now he is being less safe than he should be. If the data is worth protecting, it's worth more than this level of effort.
Now I agree, this is "real security", it really does prevent that one attack vector but it does create another point of Internet entrance with its own security concerns and path and makes the overall path longer, but it is a trivial addition of security but a lot of illusion, which is my concern.
I have an article about this very thing and even with VPNs that has already gone to publisher, hopefully we see it soon.
-
@scottalanmiller said:
@anonymous said:
@scottalanmiller However people in the same coffee shop can't access it.
Is that a concern? I've never understood that one. People in the same coffee shop you protect against but not people elsewhere? What's the specific threat in the coffee shop versus the threat from everywhere else?
Really? OK I must really be over complicating something then, because I agree with the OP.
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie if flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.
It's much more difficult if not impossible for someone on the internet to get that kind of access on the internet at large, vs the local LAN segment.
-
Also, in my case, I want to be able to use connect to my NAS, and do other things that are not going to be public
-
@anonymous said:
Also, in my case, I want to be able to use connect to my NAS, and do other things that are not going to be public
For the NAS you could possibly get a Free Let's Encrypt certificate installed on the NAS and publish it through your firewall, with passwords, etc.
-
@Dashrender I could, but if I have OpenVPN working, why?
-
@Dashrender said:
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?
-
I see both sides of this.
I'm wondering if VPN is really needed? it will slow you down performance wise.
A lot of sites use full time encryption now, so even if a hacker like the one in my linked story does manage to hijack you onto this network (should only be possible if you have other open WIFI networks that you have attached to listed in your device), the websites that use TLS you don't have to worry about. Sure they know where you are going, but who cares about that. They can't get inside the tunnel unless they can hack your OS, which maybe they can.
In which case, the VPN doesn't help you anyhow. -
@Dashrender said:
Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie if flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.
Yes, that is certainly a current threat. But is that really what all this is about? Is that the actual fear?
-
@anonymous said:
@Dashrender I could, but if I have OpenVPN working, why?
Far more flexible, less exposure. Have an article on this sent to press too. LOL
-
@Dashrender said:
I see both sides of this.
I'm wondering if VPN is really needed? it will slow you down performance wise.
A lot of sites use full time encryption now, so even if a hacker like the one in my linked story does manage to hijack you onto this network (should only be possible if you have other open WIFI networks that you have attached to listed in your device), the websites that use TLS you don't have to worry about. Sure they know where you are going, but who cares about that. They can't get inside the tunnel unless they can hack your OS, which maybe they can.
In which case, the VPN doesn't help you anyhow.Easy when to think of it is that a TLS connection is an application specific, end to end VPN tunnel. Far safer than a traditional VPN because of the limited exposure. As long as you have TLS, the VPN is just redundant. OpenVPN is nothing but a TLS connection itself.
-
Exactly.
@scottalanmiller said:
@Dashrender said:
Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie if flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.
Yes, that is certainly a current threat. But is that really what all this is about? Is that the actual fear?
Yes I think it is. Even though we've had the Firesheep threat for several years now many places still don't secure themselves from it. And I ask, why not? Cost has got to be the biggest reason, the cost of the cert, the cost of the extra horsepower for the webserver, etc.
-
@scottalanmiller said:
@Dashrender said:
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?
The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.
The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.
-
@scottalanmiller less exposure? How so?
If I do it via a VPN, then the device is only accessible from my local network and anyone on the VPN connection (hopefully just me)
If I open to the world, everyone can bang on it 24/7.
-
@Dashrender said:
Exactly.
@scottalanmiller said:
@Dashrender said:
Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie if flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.
Yes, that is certainly a current threat. But is that really what all this is about? Is that the actual fear?
Yes I think it is. Even though we've had the Firesheep threat for several years now many places still don't secure themselves from it. And I ask, why not? Cost has got to be the biggest reason, the cost of the cert, the cost of the extra horsepower for the webserver, etc.
Okay, so the fear is that people are going to go on places like MangoLassi in the short term before Let's Encrypt takes over nearly all sites and that they will post as you?
I'm trying to understand that people are actually worried about this. I'm not saying it can't happen, it certainly can. I'm wondering why we are concerned about it.
ML is going to lock that down in the nearish future, so this will go away as a threat here, but in general I've never felt that this was something that I really had to worry about.
-
@anonymous said:
@scottalanmiller less exposure? How so?
If I do it via a VPN, then the device is only accessible from my local network and anyone on the VPN connect (hopefully just me)
If I open to the world, everyone can bang on it 24/7.
I don't follow. How are you securing your OpenVPN any differently? They are both TLS connections. Can't they bang on either one equally?
-
Or in other words, how do you make one TLS connection invisible to outsiders and expose the other? VPNs are points of exposure the same as anything else.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?
The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.
The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.
I don't follow FB security closely. Is that something that is a threat there?